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ABSTRACT 


This thesis considers the problem of protecting an electrical power grid against a 
potential attack on its physical infrastructure. We develop a mathematical model, called 
“Defense of Known Interdictions” (DKI), that identifies the optimal set of components to 
defend in an electrical power grid given limited defensive resources. For a small test 
network, we show that defending fewer than 10% of the buses reduces the possible 
disruption from an attack by over 20%. Previous research has developed optimization 
models, called I-DCOPF, to find optimal or near optimal interdiction plans for electrical 
power grids. DKI solution time is determined by I-DCOPF solution time. We develop a 
model, called the Network Dual Relaxation (NDR), to replace I-DCOPF and reduce 
solution times. NDR approximates electrical power grid behavior as a minimum cost 
network flow and uses this approximation to quickly estimate a lower bound for the exact 
interdiction model. We test NDR on a portion of the North American power grid with a 
computational limit of 6000 seconds. Results with ten buses defended show that NDR 
finds solutions that are, on average, 40% better than those of the exact -DCOPF model 


with a significant reduction in computational time. 
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EXECUTIVE SUMMARY 


This thesis considers the problem of protecting an electrical power grid against a 


potential attack on its physical infrastructure. 


The size and complexity of the U.S. electrical power grid increase the potential of 
a large scale blackout such as the one that struck portions of the Northeastern United 
States and parts of Ontario, Canada on 14 August 2003. This blackout had an estimated 
economic cost of up to $10 billion, left some customers without power for four days, and 
highlights the vulnerability of the U.S. electrical power grid. A well-planned, deliberate 
attack against the power grid could have a far greater impact, both in terms of disruption 
of services and economic cost. Identifying how to optimally allocate limited resources to 


protect the power grid is the key to making it more resilient to such attacks. 


We develop mathematical models and algorithms to identify sets of components 
which, if protected, would minimize the damage from a potential, coordinated attack on 
one or more unprotected components. We integrate this model into the optimization 
module of the Vulnerability of Electrical Grids Analyzer (VEGA) decision-support 


system developed by researchers at the Naval Postgraduate School. 


A trilevel defender-attacker-defender (DAD) problem represents a two-person 
game between a defender who attempts to minimize potential damage to a system by 
protecting key components with limited defensive resources, and an attacker who seeks 
to inflict maximum damage by destroying vulnerable components with limited offensive 
resources. With fixed defenses, the DAD model becomes a bilevel attacker-defender 
model (AD) that optimizes interdiction decisions assuming that the system will be 


operated optimally after interdiction. 


This thesis develops a model called “Defense of Known Interdictions” (DKI), and 
an associated “DKI algorithm” to solve the DAD problem for electrical power grids. 
Previous research has developed an optimization model, “I-DCOPF,” to solve, at least 
approximately, the AD model for this problem. The DKI algorithm identifies a set of 
electrical components to protect (defend) by exchanging information with the -DCOPF 


XV 


model: For each specification of a protection plan, I/DCOPF generates a sequence of 
possible attacks (including the optimal one). For these attacks, the DKI model suggests a 
defensive plan. The I-DCOPF — DKI interaction continues with instances of protection 
and attack plans until it can be demonstrated that the incumbent defensive plan cannot be 


improved. 


We integrate the DKI algorithm into VEGA and test it using the IEEE Three Area 
1996 Reliability Test System (RTS 3-Area) network, consisting of 73 buses and 120 
lines. For this test network, we show that defending fewer than 10% of the buses reduces 
the possible disruption from an attack by over 20%. The DKI algorithm effectively 
solves the DAD problem for electrical power grids; however, solving I-DCOPF requires 
the majority of the computational time in the algorithm, over 99% of the time for all 


scenarios tested. This motivates the next part of the thesis. 


We explore one method to avoid the long solution times associated with I- 
DCOPF. Currently, I-DCOPF is solved using a decomposition-based algorithm in which 
a coordinating (master) problem and an operating (sub-) problem yield upper and lower 
bounds, respectively, on the optimal solution to I-DCOPF. By relaxing the electrical 
impedance constraints in the operating problem, we can approximate power-grid 
behavior as a minimum cost network flow. Using this approximation, we develop a 
model called Network Dual Relaxation (NDR) that quickly generates a solution that is 
often very close to the optimal solution to the original -DCOPF. We integrate this model 
into VEGA and carry out tests on the RTS 3-Area network. For all cases considered, 
NDR exactly predicts the optimal interdiction in less than 5% of the time required by the 
exact I-DCOPF model. We also test NDR on a portion of the North American power 
grid consisting of 5,000+ buses and 6000+ lines. With ten buses defended, and with a 
6000 second time limit, NDR finds solutions that are, on average, 40% better than those 


of the exact I-DCOPF model with a significant reduction in computational time. 
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I. INTRODUCTION 


Electrical power is a vital asset to the United States. This thesis considers the 
problem of protecting an electrical power grid from a potential attack on its physical 
infrastructure. Such an attack against an electrical generation and transmission grid in the 
U.S. could have severe consequences. Our objective is to develop and implement 
mathematical models and algorithms that optimally allocate limited defensive resources. 
In particular, these models identify sets of components which, if protected and thereby 
made invulnerable, would minimize the damage from a coordinated attack on a group of 
unprotected components. In order to accomplish this task, we extend previous research 
that seeks to identify critical components, from both an attacker’s and defender’s 


perspective. 


A. VULNERABILITY OF THE U.S. ELECTRICAL POWER GRID 


Electricity powers everyday life, and modern society depends on reliable 
generation, transmission, and distribution of electrical power. The National Strategy for 
the Physical Protection of Critical Infrastructures and Key Assets [U.S. Department of 
Homeland Security 2003] emphasizes that, “were a widespread or long-term disruption of 
the power grid to occur, many of the activities critical to our economy and national 


defense...would be impossible.” 


Disruptions in electrical power service can come from various sources. On 14 
August 2003, a combination of weather, equipment failure, and operator error resulted in 
a massive blackout over large portions of the Northeastern United States and parts of 
Ontario, Canada. Some locations did not have power restored for four days. The 
estimated cost of the blackout was between $4 and $10 billion to the U.S. and $2 billion 
to Canada [U.S.-Canada Power System Outage Task Force 2004]. Although human error 
contributed significantly to its final extent, the blackout began inconspicuously when 
high voltage transmission lines contacted overgrown trees. This incident highlights the 
vulnerability of the electrical power grid and the economic consequence of disruptions of 


service. 


Electrical power providers continuously monitor their transmission grids to limit 
the likelihood of large-scale blackouts. In electrical power engineering, system security 
standards such as “N—1” and “N—2” entail operating the transmission grid so that the loss 
of one or two components, respectively, does not cause a cascading blackout [Wood and 
Wollenberg 1996]. These standards ignore malicious attacks that could cause the failure 
of more than two components, and they also ignore the loss of a multi-component 
systems, such as substations, which may have several buses and transformers in a single 


geographic location. 


With the increased threat of terrorist activity, electric companies must face the 
possibility of deliberate, intelligent attacks against the transmission grid. In the National 
Transmission Grid Study, the U.S. Department of Energy [2002] states that “new 
technologies and operating practices are now needed to protect the transmission system 
against deliberate, coordinated attacks.” Accordingly, the North American Electric 
Reliability Corporation (NERC), the organization tasked with improving the reliability 
and security of the power system, has established a Critical Infrastructure Protection 


Committee to assess the cyber and physical security of the electric transmission grid. 


The immense size of the U.S. electrical transmission grid makes physical 
protection of all its components impossible. Certain components of the transmission grid 
such as generation plants and control centers are staffed continuously and have multiple 
layers of physical security. Other critical components, such as substations, are routinely 
unattended, and therefore more vulnerable to attack. Many substations are considered 
critical assets, meaning their loss “would have a significant impact on the ability to serve 
large quantities of customers for an extended period of time” [NERC 2004]. Proper 
identification of the sets of most critical components is a necessary step to ensure that 
limited resources are optimally allocated to enhance the reliability and security of the 


U.S. power grid. 


B. SYSTEM INTERDICTION AND DEFENSE 


In a “system-defense model,” a “defender” seeks to limit the amount of damage 


an aggressor can inflict by attacking the defended system. The defender uses limited 
2 


defensive resources to protect certain system components, making them less vulnerable to 
attack. In order to properly identify the crucial components to defend, the defender must 
understand how a potential aggressor would attack or “interdict” the system. System 
interdiction refers to the attacker’s role. The “attacker” seeks to inflict maximum damage 


by destroying system components using limited offensive resources. 


The system-defense problem can be viewed as a three-stage, two-person game 
between the defender and attacker. First, the defender hardens or protects certain system 
components. Next, the attacker, knowing which components are protected and which are 
not, interdicts (attacks and destroys) unprotected components in order to inflict maximum 
damage. Finally, the defender operates the undamaged portion of the system in the most 
efficient manner. In an electrical grid, this will typically mean minimizing the post- 
attack “disruption,” i.e., unmet demand for electricity. (Disruption can also include 
increased costs for meeting any or all demand.) As described, the defender has two roles: 
to physically protect the system, and to operate the system efficiently. Although these 
roles are often filled by distinct entities, they share a common goal and can be viewed as 


a single player in this two-person game. 


Mathematical models can be used to solve this system-defense game. Brown, 
Carlyle, Salmeron, and Wood [2006] propose a trilevel defender-attacker-defender 
(DAD) model to find optimal sets of components to defend, given worst-case interdiction 
and optimal, post-interdiction, system operation. With fixed defenses, the DAD model 
becomes a bilevel attacker-defender (AD) model that optimizes system interdiction given 


optimal, post-interdiction, system operation. 


The basic model for the AD and DAD problems has the defender fill the role of 
system operator. Here, the defender seeks to minimize “cost” by efficient operation of 


the system. The defender’s problem (D) can be expressed as: 


(D) min cy 


yeY 
where c is a vector of component operating costs and y is the activity level for each 


component. All operating constraints are represented byyeY. “Activity level’ will 


represent current flow, or generation, or level of unmet demand in our electric-power 


problem, Costs will include costs of generation as well as penalties for unmet demand. 


The attacker seeks to inflict maximum damage by interdicting components in the 
system. This damage can be viewed as additional costs that the defender must incur by 


operating the interdicted system. The bilevel attacker-defender (AD) problem is: 


(AD) max min cy 


xeX yeY(x) 
where x is a binary vector that defines which system components are interdicted, 
x € X represents the set of constraints on the attacker’s resources (and the fact that x must 


be binary), and Y (x) represents feasible operating conditions for the defender after 


attack x. AD assumes that the attacker has perfect information regarding the system, 
including how the defender will operate the system after any given attack. This is a 


reasonable, conservative assumption for the defender. 


The final step is to protect key components in the system, making them 
invulnerable to attack. (Defenses that imbue only partial invulnerability can also be 
modeled with this paradigm.) This level of defense creates the following trilevel 


defender-attacker-defender model: 


(DAD) min max min cy, 
weW xeX(w) yeY(x) 


where w is a binary vector indicating which components are defended (protected), 


w &€ Wis the set of constraints imposed on the defender, and X (w) is the set of feasible 


attacks after defense. 
1. Interdicting Electrical Power Grids 


The bilevel AD model can be used to find optimal attacks on electrical power 
grids. Salmeron et al. [2003, 2004-I, 2004-I, 2005, 2007], Alvarez [2004], Carnal 
[2005], and Schneider [2005] have applied these techniques to study power-grid 
interdiction, where the aggressor attacks components in the grid to maximize disruption. 
Disruption may be expressed as “total load shed” which is total unsatisfied demand for 


electricity expressed in terms of either power or energy, or as a cost with a dollar value 


per unit of load shed. The latter case is desirable if the cost of load shed varies among 
buses and/or customer sectors. For example, shedding power from a hospital could be 
deemed more costly than from a residential area. (Actually, “total disruption cost” will 
also include increased generation costs resulting from interdiction, but these will 
normally be much smaller than the penalty costs for unmet demand and can be ignored 


for the most part.) 
a. DCOPF 


The basic operating model (the “D” model in “AD”) is known as the 
Direct Current Optimal Power Flow model (DCOPF). This model minimizes the total 
cost of operating an electrical power grid by proper selection of power generation levels. 
Total cost is defined as the cost of generating electricity plus a penalty cost for load shed. 
Power generation levels determine the amount of load shed and the phase angle at each 


bus, which determines the amount of power each line carries. 


Appendix A.1 provides the formulation for DCOPF. That formulation 
includes DC lines which are omitted from the following discussion for brevity. The 


objective function, Equation A.1 is shown below: 


min her + DD feSe 
g i G 


pom pune $6 
The first term represents the cost of generating power; the second represents the cost of 


load shed. 


Equation A.3 is the balance-of-flow constraint: 


yee _ > pe + >; pe = Y (die -~S,.) Vi 
g lo(1)=i Nd (l)=i c 
This states that for each bus i, the amount of power generated at the bus plus the net 


power inflow at the bus equals satisfied demand less unsatisfied demand (total demand 


minus load shed). 


The electrical impedance constraint, Equation A.2, is shown below: 


PY = B, OF 7 A) Vi 
This equation relates the power on a line to that line’s impedance through its susceptance, 


B,, and the change in phase angle, @, across the line. 


Our DCOPF model is a simplified, linear representation of the true 
behavior of an electrical power grid. DCOPF only models active power flow, neglecting 
reactive power and transmission losses. Also, DCOPF assumes that changes in voltage 
magnitudes have minimal effect on real power, and can be neglected. (Full power flow 
models exist that account for reactive power flow, transmission losses, and voltages 
drops; however, these models are nonlinear and are much more difficult to solve.) 
Despite the approximations, DCOPF is expected to yield sufficiently accurate solutions 
for AD and DAD problems for our electric-power applications: Wood and Wollenberg 
[1996] state that “DC power flow is useful for rapid calculations of real power flows, and 
...1S very useful in security analysis studies.” Overbye, Cheng, and Sun [2004] and 
Purchala, Meeus, Van Dommelen, and Belmans [2005] conclude that DCOPF is an 
adequate tool for modeling real power flow, noting that the largest deviations from full 
power flow models occur on lightly loaded lines. But, lightly loaded lines will probably 
have only small effects in the AD and DAD problems for electric power. Alvarez [2004] 
compares DCOPF and a full AC power flow model on an electric grid before and after 


interdiction, also concluding that DCOPF yields an acceptable approximation. 


Note: Hereafter, except where specified, “D,” “AD” and “DAD” all refer 


to the electric-power versions of these generic models. 
b. I-DCOPF 


Salmeron et al. [2004-I] develop an interdiction model known as I- 
DCOPF. This model solves the AD problem with DCOPF used as the model for system 
operation. Appendix A.2 contains the formulation for -DCOPF. Various techniques 
have been suggested for solving I-DCOPF including heuristics, conversion to a mixed- 


integer program (MIP), and decomposition methods. 


I-DCOPF is a max-min problem and cannot be solved using standard 
mathematical-programming techniques. Salmeron et al. [2004-II] present a method for 
converting I-DCOPF into a standard maximizing MIP, by first linearizing and then taking 
the dual of the DCOPF problem with additional interdiction variables. Although this 
formulation can solve I-DCOPF on small test grids, the MIP formulation is intractable for 


realistically sized networks. 


Brown et al. [2006] and Salmeron and Wood [2007] present a Benders 
decomposition-based algorithm for solving I-DCOPF. The Benders subproblem is the 
DCOPF model that is first solved for the non-interdicted network. The master problem 
then finds an upper bound on the interdiction problem by optimistically estimating the 
amount of disruption the attacker can inflict based on the DCOPF solution. The master 


problem (MP) can be stated as: 


(MP) max Z 


Sb es f (6?)+ g(p.0) for p=1...., P, 
where p is the iteration number; 6” is the interdiction plan for the p-th subproblem (6 
replaces x in this AD model to avoid confusion with the electrical engineering use of “‘x” 


which typically represents reactance); f (6 4 ) is the minimum total system operating cost 


(generation plus penalty costs) given interdiction plan 6”; and g( p,o0 ) is an upper 
bound on the amount of additional damage that can be inflicted if interdiction plan 6 


occurs after 6”. In particular, g( p,o” )=0, so the p-th constraint (“Benders cut’) 


evaluates f (6 “4 exactly if 6=6”. Otherwise, the p-th cut overestimates disruption and 


therefore MP yields an upper bound on the optimal interdiction plan. The master 
problem also includes interdiction resource constraints, 6 € A, and solution-elimination 
constraints (not listed) which ensure that previously explored interdiction plans are not 


repeated. 


Solving MP produces an interdiction plan,6” , and an upper bound on the 
optimal cost, z”. The DCOPF subproblem is then re-solved with the given set of 
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interdicted components, and another cut is added to MP before solving it again. This 
process is repeated until the lower bound (from the most disruptive interdiction plan 
evaluate through the subproblem) and the upper bound (from the master problem) 


converge. 
C3 THESIS OBJECTIVES 


The purpose of this thesis is to develop a new mathematical model to solve the 
DAD problem for electrical power grids and integrate this model into the Vulnerability of 
Electrical Grids Analyzer (VEGA) optimization module. VEGA is a decision-support 
system [Salmeron et al. 2005; Wood and Salmeron, 2006; Salmeron and Wood, 2007] 
that implements AD algorithms for electrical power grids. It also implements the 


prototype DAD algorithm described by Brown et al. [2006]. 


We also explore a method to reduce the solution time for the I-DCOPF model. 
Successful solution of the DAD problem depends on rapid solution of AD. We evaluate 
how the solution to AD can be expedited by relaxing the impedance constraints in I- 


DCOPF. This enhancement is integrated into VEGA as an added functionality. 
D. THESIS OUTLINE 


Chapter II introduces a model and solution algorithm entitled “Defense of Known 
Interdictions” (DKI) that solves the DAD problem for electrical power grids. Chapter III 
develops and tests a model called “Network Dual Relaxation” (NDR) that improves I- 


DCOPF solution time. Chapter IV presents conclusions and recommendations. 


I. DEFENSE OF KNOWN INTERDICTIONS 


A. INTRODUCTION TO DKI 


The generic DAD model defines a type of a two-person game. Israeli [1999] 
develops a nested algorithm for solving DAD when the inner “D” represents a standard 
shortest-path problem on a network. In this algorithm, the defender proposes a set of 
defended components (network arcs) and the attacker solves the corresponding AD 
problem to find an interdiction set that maximizes disruption (increase in shortest-path 
length) to the defended system. The defender then responds to block the attacker’s 
interdiction plan, if possible, but he is not allowed to repeat any previous defense plan. 
The algorithm identifies an optimal defense plan when the restricted lower bound from 


the defense master problem exceeds the value of the best interdiction plan found. 


This section develops a new model, called “Defense of Known Interdictions” 
(DKI), and uses that in a new iterative algorithm, denoted ADKI, to find optimal 
defensive sets for the electric-power DAD. At each iteration of the algorithm, the 
attacker proposes an interdiction plan consisting of a set of interdicted components. The 
resulting cost (implicitly, disruption) is evaluated by the basic operating (D) model. In 
order to “prevent” a given interdiction plan, the defender must protect at least one 
component from the corresponding interdiction set. DKI uses this fact to find an optimal 


defensive set based on all of the interdiction plans proposed so far. 


If all of the possible interdiction plans (and their disruption levels) can be 
explicitly enumerated, then finding the best defense is relatively easy. At least one 
component from the most damaging (costly) interdiction plan must be defended, and then 
one from the second most damaging interdiction plan, and so on. This is repeated until 
the defensive resource is depleted. This principle is demonstrated in the following 


example. 


Figure 1 shows a simple, six-bus electrical grid. Bus and line parameters are 
included in Tables 1 and 2, respectively. Assuming the attacker will interdict exactly two 


buses, fifteen possible interdiction plans exist. These are enumerated in Table 3. 


(2) 


BOS Bo4 
BOé | BOS 


oo AS B02 


SS cy 





Figure 1.  Six-bus electrical grid to demonstrate ADKI. Buses are labeled BO1-B06. 























Shedding Generation Generation 

Bus Demandd, Cost f, Capacity P°" Cost h 
Name (MW) f - 

($/MWh) (MW) ($/MWh) 
BO1 10 100 25 1.0 
B02 25 100 60 1.0 
B03 15 100 0 0.0 
B04 10 100 15 1.0 
BOS 15 100 0 0.0 
B06 15 100 0 0.0 




















Table 1. Bus data for the six-bus grid in Figure 1. See usage of parameters in the DCOPF 
model in Appendix A. 
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Line / Origin | Destination | Capacity P””* | Resistancer, | Reactance x, 
Name | Bus o(/) | Bus d(/) (MW) (per unit) (per unit) 

L12 BOl B02 60 0.003 0.014 

L16 BOl B06 20 0.033 0.127 

Ls B02 BO3 30 0.050 O19? 

L34 B03 B04 30 0.023 0.088 

L45 B04 BOS 30 0.014 0.061 

L56 BOS B06 25 0.010 0.074 

Table 2.__ Line data for the six-bus grid in Figure 1. See usage of parameters in the DCOPF 


Table 3. 
































model in Appendix A. 
Interdiction Shed Cost Interdiction Shed Cost 
Set (MW) ($) Set (MW) ($) 

{BO1, B02} 75 7515 {B03, B06} 40 4050 
{B02, B04} 65 6525 {B04, B06} 40 4050 
{B02, B06} 65 6525 {B03, B04} 30 3060 
{BO1, BO3} 50 5040 {B03, BOS} 30 3060 
{BO1, B04} 50 5040 {B05, B06} 30 3060 
{B02, B03} 50 5040 {BO1, B06} 25 2565 
{B02, BOS} 50 5040 {B04, BOS} 25 2565 
{BO1, BOS} 40 4050 




















All possible interdiction plans for the six-bus grid in Figure 1 assuming the 
attacker interdicts exactly two buses. Resulting disruption in terms of load shed 
and total cost is included. Duration of the study is one hour. That is, costs are 
evaluated only over the first hour after interdiction. 


Inspection of Table 3 shows that the defender must defend either BO1 or BO2 (or 


both) to prevent the most severe attack. However, B02 is the more intuitive choice 


because it also prevents the second and third most severe attacks. With B02 defended, 


the optimal interdiction set is either {BO1, B03} or {BO1, B04} with a resulting total cost 


of $5040. Defending BO1 instead of B02 results in two possible interdiction sets with 
$6525 of total cost, {BO2, B04} and {BO2, B06}. Similarly, it is apparent that the best 
two-bus defense is BO! and BO2 with a resulting total cost of $4050, and the best three- 
bus defense is BO1, BO2, and B06 with a $3060 total cost. 


Scaparra and Church [2006] utilize this concept of interrupting an interdiction 
plan by defending at least one component to defend a service-supply network. Their 
network contains p facilities and a set of costumers, with each costumer serviced from the 


nearest facility. The purpose of defending the network is to: 


Identify the set of g facilities to secure or “fortify”, so that after interdiction, the 
remaining system operates as efficiently as possible. 


Likewise, they define the interdiction problem as: 


Of the p existing locations of supply, find the subset of r facilities, which when 
removed, yields the highest level of weighted distance. 


The algorithm they develop is based on the following observation: 


Let J be the set of r interdictions in the optimal solution to the lower-level 
(interdiction) problem without fortification. Then the optimal set of gq 
fortifications must include at least one of the r facilities in /. 


Scaparra and Church apply this observation recursively using an enumerative, 
tree-search algorithm to solve for the optimal defense. This algorithm finds the optimal 
interdiction plan for the undefended network (r interdicted components), which becomes 
the root node. One branch is defined for each interdicted component, and that component 
is defended. Next, the optimal interdiction is evaluated for each of the r defended 
networks, and again r branches are defined for each node. This continues until all 


possible defenses are considered (g defended components results in a tree depth of g+1). 


Figure 2 illustrates this concept for the six-bus grid assuming two defended and 
two interdicted components (¢ = r = 2). Interdiction sets are represented with brackets, 


such as {BO1, BO2}, and defensive sets use parentheses, such as (BO1). The notation 


(B02, B01) shows that bus B02 is defended and BOI is not. The optimal defense, 


optimal attack on the defended network, and resulting total cost correspond to the node 


with the lowest total cost (defend (B01, B02), attack {B03, B06}, total cost $4050). 
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Figure 2. 


among those in any incumbent interdiction plan in order to disrupt such an attack. 
However, instead of considering only one worst-case attack at a time (see Figure 2), we 
simultaneously examine multiple interdiction plans including (but not limited to) the 
incumbent optimal to determine the recommended defensive plan. In Section I.1.b we 
described the decomposition-based algorithm to solve I-DCOPF (AD), showing that the 
process generates Benders cuts that correspond to feasible interdiction plans, in addition 
to the optimal one. DKI explicitly uses all known interdiction plans to provide a tentative 


defensive plan. 


{BO1, B02} 


$7515 
( 








(B02, B01) 


{B02, B04} {BO1, B03} 
$6525 $5040 
(B02) (B03) 
{B03, B06} {B02, B06} {B01, B04} 


$4050 $6525 $5040 


Enumeration tree to solve the six-bus example of Figure 1 assuming two defended 
and two interdicted components. Each node shows the optimal interdiction and 
resulting disruption in terms of total cost. 


THE DKI MODEL 


The DKI model uses the same concept of protecting at least one component 
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In the following formulation, we express disruption through total operating cost, 
without loss of generality. (Disruption is simply interdicted operating cost less the 
nominal operating cost, which is a constant.) The DKI model finds an optimal defense 
against a set of known interdiction plans, which will be form a subset of all possible plans 


in practical applications. The DKI model formulation follows: 


Indices and Index Sets: 


peP Subset of all possible interdiction plans 
cec Components that may be interdicted 


Parameters and [units] if applicable: 


Damage, Minimum operating cost given interdiction plan p [$] 
DC, Cost to defend component i [$] 

DR Total defensive resource [$] 

é, 1 if component c is interdicted by plan p, 


0 otherwise 


Decision Variables: 


gz Objective value 
w, 1 if component c is defended, 0 otherwise 
Formulation: 


(DK) min z 


S.t. z 2 Damage, [i Dam] VpeP (2.1) 
>) DC.w, < DR (2.2) 
w.€ {0, 1\ VYcoeC 


z20 
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The objective function, z, represents the amount of damage caused by the most 
severe interdiction plan that cannot be defended against. If at least one component from 


every interdiction plan pe P is defended (6,,, =1 andw, =1 for at least one c in every 
p), then constraints (2.1) imply Z2a, where a, <0 for all peP, and the non- 


negativity of z implies the optimal objective value is z=0. If none of the components 


from a given interdiction plan p are defended, constraint (2.1) implies z 2 Damage, . 
Constraint (2.2) is the defensive-resource constraint. 


The DKI(P) model produces an optimal defensive plan against the known 
interdiction plans peP. The optimal objective value gives the value of the worst 


interdiction that cannot be defended with the given resources. This is a lower bound on 
the optimal objective value to DAD because P is only a subset of all possible interdiction 
plans. DKI can be applied in an iterative algorithm (ADKI) to solve DAD. Constraints 


of the form w#w, for all peP are added to prevent previous defensive plans from 


recurring. Since w,, is binary, these elimination constraints are easy to implement. 


DKI solves quickly. Since only the components for which interdiction plans have 
been generated are considered, this mixed-integer problem is smaller than that of the 
master problem in the -DCOPF model, which, by construction, is very dense. The size 
of the problem can be reduced further by only including proposed interdictions with cost 
above a given threshold. For example, only proposed interdictions with damage greater 


than the incumbent lower bound on the DAD model need be considered. 


Figure 3 shows a flowchart of the ADKI process. The first step is to initialize the 
lower bound (LB) to zero, empty the set of interdiction plans P, and solve I-DCOPF for 
the undefended network. The result is the worst-case attack on the network, and this 
becomes the initial upper bound. The next step is to solve DKI(P). This yields a 
recommended defense plan for the given set of interdiction plans and the cost of the most 
severe attack that cannot be defended, which becomes the updated lower bound. The 
defender cannot lower his cost below this bound without additional resources. With the 


recommended defense plan from DKI(P), the next step is to find the optimal attack 
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against the defended network. If the resulting cost improves the upper bound, the bound 
is adjusted and that defense plan becomes the incumbent solution. The upper bound 
represents the maximum damage that the attacker can cause without using additional 
resources. The upper and lower bound are now compared to each other for convergence, 
providing a termination criterion. The DKI algorithm is solved to find a new defensive 


plan, enforcing the constraint w#w, for all pe¢P, and the above steps are repeated. 


This algorithm eventually produces an optimal defensive plan, a corresponding optimal 


attack on the defended network, and the resulting costs. 
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Figure 3. | Flowchart of DKI algorithm to solve DAD problem. Optimal defensive plan is 
w. 
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Cc. COMPUTATIONAL RESULTS 


We have implemented the DKI algorithm using the Xpress-MP 2006 
mathematical programming system on a 3.72 GHz desktop computer with 3GB of RAM. 
The master problem for the I-DCOPF is exported and solved using CPLEX 10.0. The 
master problem given by DKI, and the I-DCOPF subproblem, are solved by the Xpress- 


Optimizer. 


The test network is the IEEE Three Area 1996 Reliability Test System (RTS 3- 
Area) [[EEE 1999]. This test set consists of 73 buses, 99 generators, 120 lines, and 6 
substations. Substations are not explicitly identified in the RTS test data, but are defined 
as a set of buses interconnected by transformers. This definition allows the attacker to 
simultaneously attack all the components of a substation. Interdiction-resource and 
system-restoration data follow that of Salmeron et al. [2004-I]. One unit of resource is 
required to interdict an overhead line, two units for a transformer, and three units for a 
bus or a substation. Long-term disruption analysis assumes the following repair times: 72 
hours for overhead lines, 360 hours for bus, and 768 hours for a transformer or 
substation. The cost of load shed is assumed to be $1,000/MWh for all customers. Each 
type of component requires the same amount of resource to defend. This may not be 
realistic as the cost of defending an overhead power line may be significantly different 
than the cost of defending a substation. However, the assumption of equal costs suffices 


to demonstrate the methodology. 


Table 4 shows how ADKI solves DAD. These results cover the following 
conditions: RTS 3-Area, only buses are interdicted; nine units of interdiction resource 
(interdict three buses); and six units of defensive resources (protect six buses). This is a 
short-duration study, evaluating only one hour of operation after an attack. For short- 
duration cases, the objective of the attacker is to maximize power disruption; component 
restoration and load duration curves are ignored. For each iteration, the table shows the 


set of defended components from DKI(P), the resulting set of interdicted buses from I- 


DCOPF, the cost of disruption, and the lower and upper bounds on the DAD solution. 


For these conditions, defending fewer than 10% of the buses (six out of seventy-three) 
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reduces the cost of the worst-case interdiction by over 20% ($14.23 x10° to $11.05 x10”). 


In this example, the optimal defense is found at the final iteration. However, that is not 


always the case. It is possible that the algorithm identifies the optimal solution but the 


upper bound requires extra iterations to converge to the value of that optimal solution. 


Figure 4 shows a plot of the upper and lower bound for this problem as a function of 


solution time. 









































; = Cost LB UB 
Iteration Defended Components Interdiction Set ($x10°) | ($x10%) | ($x10°) 
1 Undefended {315, 316, 323} 14.34 8.22 14.37 
2 {113, 215, 223, 315, 316, 318} | {313, 321, 323} 11.73 9.98 LIS 
3 {115, 123, 213, 218, 315, 323} | {215, 216, 223} 12.69 10.18 delet 
4 {118, 123, 216, 218, 318, 323} | {313, 315, 316} 12.01 10.64 11.73 
5 {113, 115, 215, 223, 315, 323} | {118, 218, 318} 11.57 10.70 11.57 
6 {113, 215, 218, 223, 315, 323}| {115, 118, 318} 11.30 10.74 11.30 
7 {113, 118, 223, 315, 318, 323}| {115, 215, 218} 11.05 10.95 11.05 





Table 4. Iterations of ADKI to solve DAD for the RTS 3-Area Case. Only buses are 
interdicted. Three components are attacked and six are defended. Duration of 


study is one hour. 
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Figure 4. | Upper and lower bounds on DAD versus time using ADKI. 


In addition to identifying critical components, decision-makers should know the 
benefit gained by defense. Figure 5 shows the drop in total cost as the number of 
protected components increases. These results are for the RTS 3-Area case assuming 
only buses and substations can be attacked, with interdiction resources of nine, six, and 
three units. When two components are interdicted, defense of one, two or three 
components lowers disruption significantly. The value of defense tapers off then, so that 
defending six components is not much better than defending three. The curve for three 
interdicted components does not exhibit this behavior: defending added components 
steadily lowers the amount of disruption. This type of information is necessary to 


perform cost-benefit analysis when planning to defend a system. 


20 


Drop in Total Cost as Additional Components Are Defended 
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Figure 5. Total operating cost achieved for various amounts of interdiction and defensive 
resources. 


ADKI successfully solves DAD for small networks such as the RTS 3-Area grid. 
The ultimate goal is to solve DAD for realistically sized networks. However, solving 
DAD using the ADKI requires efficient solution of the AD subproblem, i.e., I-DCOPF, 
and our computational experience shows that solving this problem for a large, defended 


network is extremely difficult. 


In fact, the vast majority of time required to solve DAD is spent solving the AD. 
Figure 6 shows a histogram of the fraction of DKI solution time to total DAD solution 
time. This data is from the RTS 3-Area with various combinations of attack and defense 
resource levels. In all cases, the amount of time to solve the DKI model is a very small 
fraction of the total solution time, always less than 1%. Scaparra and Church [2006] 
make a similar observation stating that solving their interdiction model is “the most 
computationally expensive operation of the procedure.” Thus, the primary obstacle to 
solving DAD for large networks is I-DCOPF solution time. The next chapter explores a 


method to reduce this time. 
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Figure 6. Histogram of the time required to solve the DKI model as a fraction of total DAD 
algorithm time. This figure implies that the vast majority of the time spent 
solving DAD by ADKL is spent in solving the AD subproblem. 
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Hl. NETWORK DUAL RELAXATION 


As noted in the previous chapter, the vast majority of computational time required 
to solve DAD is dedicated to solving AD, 1.e., IDCOPF. Consequently, significant 
reductions in DAD computational time can be achieved by reducing I-DCOPF solution 
times. I-DCOPF is solved using a decomposition-based algorithm [Salmeron and Wood 
2007] in which a subproblem and master problem are solved iteratively until the lower 
and upper bounds converge to the optimal value. Improving either the upper bound or 


lower bound can potentially improve total solution time for I-DCOPF. 


With the exception of the admittance constraint, the DCOPF model that is 
embedded within I-DCOPF is an example of a minimum cost network flow problem, 
which can be solved as a MIP or, even more efficiently, by decomposition. Furthermore, 
the admittance constraint is non-linear in the interdiction model, requiring extra 
constraints to linearize in I-DCOPF. Removing the admittance constraint leads to a 
relaxation on DCOPF and the resulting solution would yield a lower bound on the actual 
DCOPF cost. However, our interest is not actually in the disruption provided by the 
relaxed model, but in the solution to I-DCOPF assuming the interdiction set from the 
relaxation. Therefore, the attack plan from the relaxed model can be assessed with 
DCOPF to obtain a more accurate bound on I-DCOPF. If such a model can find an 
acceptable lower bound quickly, overall solution time for the decomposition algorithm 


that solves I-DCOPF should improve. 
A. MAXIMIZING MINIMUM COST IN A NETWORK 


Israeli and Wood [2002] develop a model, Maximizing the Shortest Path (MXSP), 
to solve the AD problem for a shortest path network. MXSP assumes a directed network 
and interdicts arcs. If an arc is interdicted, a penalty is added to that arc length. The 
penalty is made sufficiently high so that no interdicted arc is on the shortest path. MXSP 
is a max-min problem. This is converted into a standard maximizing MIP by temporarily 


fixing the set of interdicted components, taking the dual of the inner (i.e., shortest path) 
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problem with the given interdiction set, and releasing the interdiction set. The resulting 


MIP can be solved by standard techniques. 


Although MXSP is defined for a shortest path problem, the method developed by 
Israeli and Wood can be applied to a more general minimum cost network flow problem. 


The formulation for Maximizing the Minimum Cost Flow (MXMC) follows: 


Indices and Index Sets: 


i,jEN Set of nodes 


(i, j)eA Arcs directed from i to j 


Parameters and [units] if applicable: 


a. Flow cost for are (i, j)[$/ unit flow | 

d,, Additional damage cost to are (i, j)[$ / unit flow] 

b, Net flow (>0 at supply, < 0 at demand, = 0 transshipment)[ flow] 
U, ; Upper bound on flow for are (i, j) [flow] 


Resource required to interdict arc (i, j)[$] 


1 Total interdiction resource [$] 
Variables: 

5, j 1 if arc (i, j) is interdicted; 0 otherwise 
VG Flow on are (i, j) 
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Formulation: 


(MXMC) = maxmin )° (c,,+4,,6,;) y,, 


ju) 


bed ye¥ (At, 
s.t. Yow - Hh, Vie N [z,] 
(i.JeA (jiJeA 
jin: Vij)eA  [-a,,] 
y,, 20 VijjeA  [-a,,] 


The dual variables for each constraint are shown in square brackets. Taking the dual of 


the inner minimum cost yields the following MIP: 


(MXMC-D) max > b,7, - > Mei yg 
WOT en 


OT ie (i, j)eA 
s.t Ti Te hing 8 0; Eis Vii, j)eA 
a,,20 Vii j)eA 
oeA 


B. RELAXED MODEL FORMULATION 


The solution to MXMC identifies an optimal set of arcs in a directed network to 
interdict in order to maximize cost. MXMC can be used to interdict an electrical power 
grid with lines equivalent to arcs and buses equivalent to nodes in a directed network. 
However, I-DCOPF can model interdiction of lines, buses, substations, and generators. 
In order to use the MXMC model to predict interdiction sets for an electrical power grid, 
the grid must be converted to an equivalent directed network. We refer to the resulting 
formulation as the Network Dual Relaxation (NDR) model: NDR converts an electrical 


power grid into a directed network, relaxes the impedance constraint, and implements the 
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corresponding interdiction model. That is, NDR is the same as MXMC-D applied to 


electrical power grids. The steps for converting an electrical power grid into an 


equivalent directed network are: 


Define “infinite capacity” as the sum of all load demand by all customers. 
Electrical buses are represented by two nodes, inlet and outlet, connected by 
an arc with zero cost and infinite capacity. Interdicting this internal arc is 
equivalent to interdicting the bus. All arcs entering the bus enter at the inlet 
node and all arcs leaving the bus leave from the outlet node. 

Electrical power lines are represented by two anti-parallel arcs. An electrical 
power line is equivalent to an undirected arc joining two buses. To create a 
directed network, one arc must originate at the outlet node of each connected 
bus and terminate at the inlet node of the other. These arcs have zero cost and 
capacity equal to the maximum power for the line. 

Define four new nodes: Source, Demand, Generation, and Shed. All flow 
originates at the Source node, passes through either the Generation or the 
Shed node, and terminates at the Demand node. The Generation node is the 
entry point into the electrical network. Flow through the Shed node represents 
unmet demand (i.e. load shedding). 

Create a zero-cost, infinite-capacity arc between the Source and Generation 
nodes and between Source and Shed nodes. 

Create an arc for each generator from the Generation node to the inlet node of 
the corresponding bus. Arc capacity is set to the capacity of the generator and 
cost is the cost of generation. 

Create an arc with infinite capacity and cost equal to the cost of load shed 
from the Shed node to the Demand node. 

Create an arc for each customer demand from the outlet node of each bus to 
the Demand node. The capacity equals demand at that bus, and the cost is 


Zero. 


This process is demonstrated in the following example. Figure 7 shows a simple 


three-bus electrical grid and Figure 8 is the directed-network equivalent. Tables 5, 6, and 
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7 show the equivalent components, costs, and capacities for the DCOPF model using the 


electrical grid and the NDR model using the network equivalent. 


The penalty factor added to each interdicted arc (d, ; in MXMC) is constant for 


all arcs in the NDR model. We set this equal to the cost of load shed and redefine it as 


d.,.4. Since all generation costs are non-zero, this value for the penalty factor properly 


models an interdicted arc. (Excessively large penalty factors can slow NDR solution time 


significantly.) 


The interdiction sets for NDR and I-DCOPF are equivalent in this example. For 


example, interdicting arc (BI, Bloa) in Figure 8 is equivalent to interdicting bus B1 in 


Figure 7. Interdicting a line requires one interdiction variable for both of the associated 
arcs in the NDR directed network. The following two equations demonstrate the NDR 


formulation to interdict line L12: 


Wei 7B, — ABI gy, B2 — A sre 12 <9 


out out “in 


Mp2, — Bly — AF B2ou Blin Asredr12 £9 


‘out 


To interdict substations, we use one interdiction variable in the equations for all 


associated buses. 


As formulated above, NDR only allows for one consumer sector. Additional 
consumer sectors can be modeled by adding a unique Demand node for each. Also, NDR 
does not model multi-period cases with varying loads. We approximate multi-period 


cases by solving NDR for a single aggregate period. 


We do not consider component restoration time in the current NDR formulation. 
When solving I-DCOPF, the interdiction set for a short-duration study may differ 
significantly from that of a long duration study [Salmeron and Wood 2007]. Interdiction 
sets in long duration studies generally consist of components with long restoration times. 
NDR identifies the set of components to interdict that maximizes short-term disruption 
This limitation in NDR can be overcome by only considering components with long 


restoration times (such as buses or substations). The result is analogous to a long- 


Zi 


duration I-DCOPF study. Implementing multi-period cases and component restoration 


into NDR is conceptually easy, and can be accomplished in future research. 


NDR produces a feasible interdiction plan, and solving the DCOPF model with 
that plan implemented evaluates the plan’s cost and provides a valid lower bound on z , 
the optimal objective to [-DCOPF. Our computational experience shows that this bound 
is very good, and often tight: an optimal interdiction plan from NDR is often the optimal 


solution to IDCOPF. This makes the effort to solve NDR worthwhile. 


BI B2 
Di L23 


B3 


D3 


Figure 7. Three bus electrical grid for illustrating NDR formulation. 


28 








Figure 8. | Network approximation for electrical grid shown in Figure 7. Unlabeled arcs 
have zero cost and infinite capacity. 
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DCOPF Model 


Network Equivalent 





Component 
type 
Bus 


Component 


Component 


type 


Component 





Bus 





Bus 


tis 





Line 


{(B ie 2 B2,, ) 2 (B2,,, 2 B lL, ) 





Line 


out? 


{(B2 B3;, ) Z (B3,. ? B2,, )} 





Generator 





Generator 


Consumer 





Consumer 





Interdiction 


Interdiction 





NA 


No equivalent component 


Node 


{Sup, Dem, Gen, Shed} 





NA 


Table 5. 





No equivalent component 


network equivalent model. 


Table 6. 


DCOPF Model 


Arc 





{(Sup,Shed),(Shed,Dem )} 





Equivalent components for three bus sample grid in DCOPF model and the 


Network Equivalent 





Item Cost 


Component 


(Gen,B1,, ) 


Cost 





(Gen,B2,, ) 








(Shed,Dem) 
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Equivalent cost data for three bus DCOPF and network equivalent. 


DCOPF Model Network Equivalent 





Capacity 
Item Component Capacity 
or Demand 


(Gen,B1,, ) 





(Gen,B2,, ) 





(B1,,,,B2,, ),(B2,,.B1,, ) 


out ? out ? 





(B2 


out ? B3., ) ? (B3,. ? B2,, ) 





(BI,,,,Dem) 


out? 





(B3,,,,/Dem) 


out ? 











Table 7. | Equivalent capacity and demand data for three bus DCOPF and network 
equivalent. 


C. COMPUTATIONAL EXPERIENCE 


As with ADKI, we have implemented NDR using the Xpress-MP 2006 
optimization system on a 3.72 GHz desktop computer with 3GB of RAM. The NDR 
MIP is exported and solved using CPLEX 10.0. 

In the following discussion, z represents the true optimal disruption, z(6,) is the 
disruption for the incumbent best interdiction plan (and a lower bound on z’ ) obtained by 
solving I-DCOPF using the decomposition method presented in Salmeron and Wood 
[2007], and z, is the best upper bound on z from the same method. With sufficient 
computational time, z(6,) and Z, converge to z. The disruption resulting from the 
optimal interdiction plan recommended by NDR is denoted z(Syp,). We calculate 


optimality gaps for NDR using z,. We report all disruption in terms of total cost. 


We first test NDR on the RTS 3-Area network. We assume that only buses are 


interdicted. Table 8 shows: Zs) and the time required to reach that solution (typ, ); 
| 


z(6,) and the time required to reach that solution (t,). Also shown is the incumbent 
objective value z(6,) and the deviation from z at typ, - In the case of three interdicted 


buses, NDR exactly predicts z’ after 0.36 seconds. I-DCOPF requires 7.7 seconds to 
find the corresponding optimal solution. In all cases tested, NDR identifies an optimal 
interdiction plan, although this need not be not true in general. This example 
demonstrates that NDR has the potential to produce a quality lower bound for z ina 


fraction of the time required by I-DCOPF. 


NDR I-DCOPF 
Deviation 





Number of : 
Interdicted Z(Ovpr) | Deviation | Z(0,) at type | Of z(6,) 
Buses ($x10°) | from Zz ($x10°) from 


Z~ atria 





























Table 8. Solution times and resulting objective values for NDR and I-DCOPF. Test case is 
RTS 3 Area, only buses are interdicted. t, is the time for I-DCOPF to find the 


optimal interdiction, convergence requires additional time. 


Next we test NDR on a portion of the North American power grid. The region 
considered consists of 5,000+ buses, 6000+ lines (including 1000+ transformers), and 
500+ substations. Total system load is close to 70,000 MW, and there are 90,000+ MW 
of available generation distributed in 500+ generating units. For the purpose of this 


paper, we refer to this region as the Large Sample Grid (LSG). 


We approximate a three-step load-duration curve at each bus consisting of a peak 
period covering 20% of the time, a normal period covering 50% of the time during which 
demand is 75% of peak, and a “valley period” covering 30% of the time during which 
demand is 45% of peak. We also make the cost of load shed dependent on the period, 
with values 1,000, 800 and 500 $/MWh, respectively. Since NDR does not model 
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multiple periods, we approximate the solution using the peak demand period. The 
duration of this study is 360 hours which is sufficient time to restore all interdicted 


components. 


For this test, we again assume that only buses are interdicted. Each scenario runs 
for 100 minutes (6000 seconds) or until a gap of ¢ = 1% is reached, whichever occurs 


first. 


Table 9 displays results for this test. In the case with three interdicted buses, I- 
DCOPF outperforms NDR both in speed and quality of solution (z(6,)>z(Oypp) ). In all 
other cases, NDR predicts interdictions at least as good as those found by I-DCOPF, 
always with significant time savings. I-DCOPF only converges within the allotted 100 
minutes in the case with two interdicted buses. The best upper bound on optimal cost 
(Z, ) is shown for the cases in which I-DCOPF did not converge. Comparing the solution 
of NDR to the best bound from I-DCOPF shows how close NDR is to the true optimal 
solution. In the case of four interdicted buses, both the NDR and I-DCOPF objective 
values are within approximately 15% of the true optimal value. A similar calculation 
shows that the NDR objective value is within approximately 20% of the true objective 
value for the case with seven interdicted buses, while the I-DCOPF objective value is 


only within 58%. 
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Number NDR 





Interdicted Z(Onpp) 2(0,) al typr 
($x 10°) ($x10°) 





























Table 9. — Results for NDR and I-DCOPF applied to the Large Sample Grid. The t, column 


gives the time for I-DCOPF to find the incumbent interdiction plan. Maximum 
allowed time is 6000 seconds. The best bound on cost (Z, ) is shown for the cases 


when I-DCOPF does not find the optimal interdiction in the allotted time. 
Duration of study is 360 hours. 


NDR has great potential when studying interdictions against defended networks. 
Solving I-DCOPF for a realistically sized, defended power grid is extremely difficult and 
is the principal obstacle to solving DAD. To illustrate this, we repeat the above 
experiment on LSG but with ten buses defended. Again we assume that only buses are 


interdicted and we limit each scenario to 100 minutes of computation time. 


Table 10 displays the results of this experiment. For all of the cases considered, 
NDR outperforms I-DCOPF in terms of solution speed and solution cost. I-DCOPF does 


not converge within the allowed time for any of the cases. 


Table 11 shows the optimality gap for z(d,,) and z(6,) for both the undefended 
and defended network (based on the data in Tables 9 and 10, respectively). The 
optimality gap is based on Z,, the best upper bound on z found by I-DCOPF in the 
allotted time. The optimality gap for -DCOPF on the defended network is significantly 
larger than that for the undefended network, demonstrating that, for these scenarios, the 
defended network is more difficult to solve. Although the values for NDR show a 


general upward trend between undefended and defended, the effect is not as pronounced 


as for I-DCOPF. 
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Number of I-DCOPF 


Interdicted tnpr ZOnpp ) z(0, ) at ype t z(0, ) Z, 
Buses (sec) | ($x10*) ($x 10°) (sec) ($x 10°) 


178 2.50 1.84| 4673 2.42 














Table 10. 


Table 11. 

















Result of NDR and I-DCOPF for the Large Sample Grid with ten buses defended. 
NDR outperforms I-DCOPF in terms of speed and quality of solution in all cases. 
I-DCOPF reached the maximum allowed time of 6000 seconds in all cases. The 
duration of this study is 360 hours. 


Nuimberot Optimality Gap for Optimality Gap with Ten 
Interdicted Undefended Network Buses Defended 


Buses NDR I-DCOPF NDR I-DCOPF 


























Optimality gap for NDR and I-DCOPF for undefended and ten-bus defense. 
Optimality gap is based on Z, ,the best upper bound on z found in the allowed 


6000 seconds and the lower bounds z(6,y,) and z(6,) from the NDR and I- 
DCOPF, respectively. 


The DKI algorithm for DAD can be implemented with NDR solving the AD 


subproblem. The danger with this is that NDR may under-predict the disruption of a 


given interdiction plan, thus over-predicting the value of that defense. However, the 


rapid solution times of NDR make it a useful adjunct for studying DAD, and we solve 


DAD here, approximately, for the LSG Area using this technique. We only consider 
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substations, with sufficient resources to interdict five and defend ten. We allow fifty 
iterations of the NDR-DKI interaction, and choose the best three defenses for further 


analysis using I-DCOPF (the fifty iterations required approximately 5.5 hours of 


computational time). Figure 9 shows the total cost, z(Oypp) , at each iteration, and Table 


12 shows the complete results, including z(d,,), peak power shed, and total energy 


shed, for the top three defensive plans as well as for the undefended case. We evaluate 


the top three defensive plans using I-DCOPF with a maximum computation time of eight 
hours. Table 13 shows the results: z(d,) and Z, (the lower and upper bound on Zz, 
respectively), and optimality gap. For example, with Defensive Plan 1, z is bounded on 
the interval [5.48, 8.53] ($x108), which is an improvement over the undefended case. 


Figure 10 plots the upper and lower bound on z’ for Defensive Plan 1 using I-DCOPF, 


demonstrating the slow rate of convergence of the upper bound. 


Total Cost vs Iteration Using NDR and DKI to Solve DAD 


1.20E+09 





LSG Area 

interdict 5 Substations 
Defend 10 Substations 
1.00E+09 + 


8.00E+08 + 


& 
par 
a 
° 
(S) 
3 
& 
° 
| 


4.00E+08 - 


2.00E+08 + 








0.00E+00 





0 
Iteration Number 





Figure 9. —_ Iterations to solve DAD for the Large Sample Grid Area using NDR and DKI. 
Five substations are interdicted and ten defended. The optimal defense is found at 
iteration 2. Defensive plans considered at iteration 1 and 44 are the second and 
third best respectively. Iteration O is the undefended case. 
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Defensive } Iteration Zz (Oss ) 
Plan Number | ($x10°) 




















Table 12. | Complete results for top three defensive plans and undefended case from Figure 
9. The iteration number corresponds to the iterations of Figure 9. 


z(0,) zy Optimality 
($x 10°) ($x 10°) Gap 

















Table 13. Results of -DCOPF for LSG Area using the best three defensive plans from 
Figure 9. Maximum algorithm time is 8 hours. z(6,) and z, are lower and upper 


bounds, respectively, on the true optimal solution. 
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Upper and Lower Bounds from I-DCOPF 





2.00E+09 
LSG Area 
Interdict 5 Substations 


1.80E+09 4 : 
* Defensive Plan 1 


1.60E+09 + 


1.40E+09 + 
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° 
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° 
| el 


8.00E+08 4 
6.00E+08 4 
Lower Bound 


4.00E+08 


2.00E+08 








0.00E+00 





0 
Time (hours) 





Figure 10. Upper and Lower Bound on z from I-DCOPF for Defensive Plan 1, showing the 
slow rate of convergence of the Upper Bound 
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IV. CONCLUSIONS AND RECOMMENDATIONS 


This thesis has developed mathematical models to identify optimal sets of 
components in an electrical power grid, the defense of which would minimize the 
disruption caused by an adversary’s attack. The ultimate goal of this research is to apply 
these models to actual systems in an effort to enhance the resilience of the U.S. electrical 


power grid. 


In a trilevel defender-attacker-defender (DAD) model, a defender attempts to 
minimize potential damage to a system by protecting key components with limited 
(defensive) resources, while an attacker seeks to inflict maximum damage by destroying 
vulnerable components using limited (offensive) resources. With fixed defenses, the 
DAD problem becomes a bilevel attacker-defender (AD) problem that optimizes system 
interdiction given optimal, post-interdiction, system operation. Previous research has 
developed optimization models, called I-DCOPF, to solve (or approximate the solution 


of) the AD problem for electrical power grids. 


We develop the “Defense of Known Interdictions” model (DKI) that is part of a 
decomposition algorithm that can solve the defensive DAD problem for realistically- 
sized electrical networks, provided that I-DCOPF can be solved efficiently. 
Unfortunately, a lack of efficiency in this regard proves to be a major obstacle. Our 
computational experience indicates that solving the I-DCOPF model for a large network 
is extremely difficult, and this difficulty greatly increases when a select group of grid 


components are defended. 


We explore one method to reduce the solution time for -DCOPF. Currently, I- 
DCOPF is solved using a decomposition-based algorithm in which a coordinating 
(master) problem and an operating (sub-) problem yield upper and lower bounds, 
respectively, on the optimal solution. By relaxing the electrical impedance constraints in 
the operating problem, we approximate electrical power grid behavior as a minimum cost 
network flow. Using this approximation, we develop a model called Network Dual 


Relaxation (NDR) that quickly generates a solution that may be close to the optimal 
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solution of the original I-DCOPF, and could be solved even faster by decomposition (not 
implemented in this work). For the scenarios tested, NDR produces high-quality lower 
bounds; currently, however, the only way to guarantee such quality is by solving the 


exact I-DCOPF problem. 


We recommend that future research implement load-duration curves and 
component restoration into NDR. This would allow NDR to better approximate I- 


DCOPF solutions for both long and short-term problems. 


We also recommend that future research examine methods to improve the upper 
bound for I-DCOPF. A model that quickly predicts the upper bound for I-DCOPF, 
coupled with NDR, could greatly reduce I-DCOPF solution times and help solve 
realistically-sized DAD problems, and help with the final goal of enhancing the security 


of the U.S. electrical power grid. 
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A.l 


APPENDIX A. DCOPF MODEL 


DC OPTIMAL POWER FLOW MODEL 


From Salmeron, Wood, and Baldick [2005] 


Single-Period Case 


Sets: 
iel 


iel° 


ler 


set of buses 

subset of reference buses (| J° |=number of islands in the system) 
set of generating units 

subset of generating units connected to bus i 

set of AC transmission lines (and transformers modeled as AC lines) 
set of DC transmission lines 


subset of AC and DC lines connected to bus i 


subset of lines in parallel with line / 
set of consumer sectors 

set of substations 

subset of buses at substation s 


subset of AC and DC lines connected to substation s (including 


transformers, which are represented by lines) 


Parameters (units, if applicable): 


ol), d(l) 


i(g) 


origin and destination buses, respectively of AC or DC line / (more than 


one line with the same o(/), d(/) may exist) 


bus for generator g,i.€., ge Ge 


4] 


LH, 


Tee 


substation s € S associated with bus i € /, 

load of consumer sector c at bus 1 (MW) 
transmission capacity for AC or DC line 7 (MW) 
maximum output from generator g (MW) 


resistance and reactance of AC line /, respectively (p.u.). (We assume 
Lh) 
series susceptance for AC line /, calculated as B, = x, (7 +x7) (p.u.) 


resistance (Q), set point (MW) and scheduled voltage (kV) for DC line 


1, respectively 


transmission coefficient (= 1 — loss coefficient) on DC line /, calculated 


as  =1-I°R/ P=1—P°R/I(E*P) =1—PR/E’ (p.u.) 
generation cost for unit g ($/MWh) 


load-shedding cost for customer sector c at bus i ($/MWh) 


Decision variables (units): 


Gen 
P, 
pe 


U,V, 


generation from unit g (MW) 
power flow on AC line 1 (MW) 


power flow from the “from” to the “to” bus or vice versa, respectively, 
for DC line 1 (MW). Remark: DC lines are modeled as follows: If 


U, 20 MW are sent from the “from” bus, then (1—,)U, MW are 


received at the “to” bus. Similarly, we use V, 20 to model flow from 


the “to” bus to the “from” bus. 


load shed (unmet) for customer sector c at bus i (MW) 
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0, phase angle at bus 7 (radians) 


t 


Formulation: 
DCOPF): hep = /MWh Al 
( am RD dt Ds 2a, fed 7s ($ ) (A.1) 
S.t. 
P= B ,y —yp) VleL (A.2) 
>» Pe _ >» pee ae » Pe ce 
oi dei 
(A.3) 
SS (-U,+ “V+ > (u,U,-V,) = os (d,,-S,.) Viel 
leD"| lepP©| cld,,>0 
o(1)=i d(l)=i 
— ptr < pee < pee V1 E LULPS (A.4) 
Gen Gen Dp Gen . 
ES Se Vi,Vg €G, (A.5) 
O<S,.<d,. Vi,cld,, >0 (A.6) 
0,=0 Viel (A.7) 


Remark: If all DC loss coefficients and all generating costs are non-zero, an optimal solution 
to the above model should not contain any crossed-flows (ie., U; >0,V, >0 simultaneously) 


on the DC lines. However, if any of those hypotheses fails, multiple optimal solutions may 
occur, some of which may involve crossed-flows on the same DC line. To ensure the output is 


displayed correctly, the following post-processing of the solution can be made: 


Power across DC line /= wU,-wV,, VE LD. 


Multi-Period Case 





Our DCOPF model must be extended to consider periods (or blocks of hours) for 


two reasons: 


(1) Demand variation. DCOPF must accommodate changes when we consider a staircase 


function to represent our load-duration curve (LDC), 


(2) Repair times. As the system is restored after interdiction, the grid topology undergoes 


changes that must also be incorporated into the DCOPF model. 
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Each combination of an LDC’s period-subperiod pair and a restoration stage involves a new 
DCOPF computation. In what follows, we generically call each of these triplets a “Time Period,” 
or simply a “Period” (which must not be confused with the period-subperiod structure for the 
LDC). 

According to the above, we must extend our notation for the single-period DCOPF in order to 
capture changes in our data (load and shedding cost) and our decision variables (all of them) for 
each of these periods. 


We need substantially new notation for the problem with time periods. 


New sets and parameters: 
teT, set of periods 
D 


Ns duration of period t (hours) 


Extended parameters and variables: Same definition as in single-period DCOPF, but now for 


every period ¢: 


Gen Line 
Dies Ties P, ? P; > UV, ? Sine 0, 
Model changes: 
(DCOPF): _ min mpl Dane +E >. hee ($) 
BO SU MG g i cld,,>0 


Notice that the new objective factors in the duration of each level of disruption, given by 


different amounts of load shedding, S,,. and their costs, f,,, which are period-dependent. 


tic? 

Likewise, assuming a given interdiction plan, the new constraints for each period must reflect 
those in (A.2)-(A.7), replicated for every period f, but ensuring that only the non-interdicted or 
repaired components are included in the model. However, in order to establish such formulation 


formally, we must first introduce new notation, which in turn will allow us to formulate the 


interdiction model. 
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A.2 INTERDICTION MODEL 


New sets and parameters: 
G cG, LcLUL”™, I’ cI, S’ CS, subsets of interdictable generators, lines, 
buses, and substations, respectively. These are “directly interdictable components.” 


oe LUG UB US’ , set of all (directly) interdictable elements. 
G’cG, EP cLuLl’, cl, S”" cS, subsets of directly or indirectly 
interdictable generators, lines, buses, and substations, respectively. 
1, if component e remains unrepaired in time period ¢ after being attacked 
0, if component e is repaired before time period ¢ after being attacked HO} 


Li Bie a6 Sub aad 
teT, ee&. Remark: £7", £.", eee and £° denote £,, when e=! is line, or 


e=/ is a bus, or e=g is a generator, or e=s is a substation, respectively. 


by <LUL, subset of lines that might remain interdicted (directly or indirectly) in 
period ft. Constructed as follows: 
leL, if either: 

pe =1, or 

B.;" =1 for some ill € L;"", or 

B°° =1 for some s IJ € L*”, or 

Bi =1 for some I lI € L;"” 

G. <G,, subset of generators that might remain interdicted (directly or indirectly) in 


period ¢. 


I 7 " <I, subset of buses that might remain interdicted (directly or indirectly) in period t. 


S <i CS, subset of substations that might remain interdicted (directly) in period t. 
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gba 
it-| 


O otherwise 

qin lifle L 

tl ‘i 
O otherwise 

aoe lifgeG 
0 otherwise 


18 = 


qe lifgeG, 
O otherwise 


c= 


ql lifiel 
0 otherwise 


Ss 


4s lifseS” 
0 otherwise 


40 lifiel° 
O otherwise 


G Li Bus Sub , f ‘ , F 
M o ,M,"", M,"’, M°’: resource required to interdict generator g, line /, bus i, and 
substation s, respectively. 


M, total interdiction resource available to terrorists. 


New decision variables: 


om On Oo,” ; é° A binary variables that take the value 1 if generator g, line /, bus i or 


substation s, respectively, are interdicted, and are 0 otherwise. 
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Interdiction Model 





Here, we introduce the model that will be referred to as the (linearized) interdiction model, 
I-DCOPF. This formulation linearizes the admittance equation in presence of interdiction. For 
example, if a line can be interdicted by attacking the line or the buses that it connects, the 


admittance equation would be 
P=BG 9-30-60 6,4) = O45)» 


where the (1-6) terms force the power across the line to be zero if the line is interdicted, without 
imposing any further restriction on the phase angles at each connecting bus. To linearize the 
right-hand side of the above equality, we consider the two following linear constraints: 
B-Boy — 9g) SM, + 65 + Oa) 
P= BG, =0,))2-M, 0,406, 4035). 
where M, can be taken as M,=P.+B, 0 5),a) > and 6, ; 1S an upper bound on the absolute 
value of the maximum phase angle difference between adjacent buses i,k (e.g., 0, =1 radian). 


The I-DCOOPF model formulation is: 
(I-DCOPF): max min SD): dh, Feet a py Tete ie 


5 (por pine S BUN) For 


di i> 


S.t. 
BS —B, (6.1 ~6, 1) me M, (Aen One De Bre oes + » po ae 
iel “exp seS" ely” 
ye Boy) VlEL,Vt 


el |ely" 


Line Line Line ¢Line Be aaa ge ae 
Py — BG. oa) 8.4) 2—M (A, Bi 6; + ye iO; oe oO, 


ier fas seS “Tex 
» aya 
pro) VIEL, Vt 
lel ely" 
Gen Pp Pir + 

Dene ep De 
geG, leLo(l)= i leL|d(1)= i 

> A +HV)+ DY wv, -V)+ YE S0= > dy, Wit 

1eLP| 1elP"| cldje>0 cld,j.>0 


tic tic 


o(1)=i d(l)=i 
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pe < pin 
pe z pin de ou") 
pe Re (i= 6™) 
pe < pe (l— 65) 
pe < pine a oe 
i > =p 

pe a pee ad ae ) 
pe > pin ae oe) 
Pe —_ pin (— 5 Si 
js > pin (l— eine) 
ue < pe 

ui < Fm -o) 
Us < pure (— oe) 


Uae < Pe (l —5*") 


Oh Z p™ G2 gui) 
Ve < pine 

vile < pie gti) 
lg < pure a 6) 
we < pe a 6) 
ve < pe d- eu) 
poespo 

pe < pe a as 
pe < pe as 5m) 


Gen HGen Sub 
ne = 
re SE 8yGey) 


Vile L\L, 
ViLELELAL. Bri =1 
Vt,L,i (ef. leLOL”, 87° =| 





Vt,LslseS",leLAL”, 8 =1 





VtLU|leL WELL”, Bir" =I 
Vt,leL\L, 

VALELAL, pi" =l 
Vile? 1eELal” pS 


t, 





Vinslees" Le LAL, pe =1 





v1.1 10] EL ll EeLaly”, Bi" ai 
WELeL NL, 
VileleL aL, Bi"=1 








Vt,LilieD’, LeDo ALP, 88 =1 
VtLs\seS leL ool”, BY =1 
Vt,LUWeL MeL A”, Bi =1 





VileL \i, 
VileleD SOL, Bi"=1 
ViLiiel, LED AL", Bi" =1 





Whls\s=S feb AL pHi 





ViLMWleL Hel AL” BF =!1 
Vt,g¢ G 
Vtglge G pr=l 


Vt, gli(g)el’, Be =1 
Vt, g|s(i(g)) €S", Bm. =I 
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Das, Vt,i,cld,,.>0 

6,,=0 Vtiel 

Po" >0 Vtg 

Pi" unrestricted VtleL 

Ur” >0 VtleL 

V7 20 Vile L 

S20 Vt,i,cld,,.>0 

0,, unrestricted Vti¢T° 

> Mee a + pa fea ims 4a Me of an De Ms oe <M 
geG leL* iel” seS” 


All & variables are binary {0,1}. 
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